FTP (21) data through Firewall (ipchains)

James Ring sjr at southsky.com.au
Sun Aug 12 18:15:36 EST 2001


> In the IPCHAINS HOWTO real-world example, it gives something like this:
>
>                ipchains -A good-bad -j MASQ
>                ipchains -A bad-good -j REJECT
>
>
> Where good-bad is your local ethernet to the internet, and bad-good is 
> internet to your local interface.
> When the ip_masq_ftp module is installed, you should have no worries. 
> No high ports need to be allowed through (as long as you're not 
> restricting access FROM the local ethernet TO the internet; do you 
> trust your users?).
>
>
> The ipchains howto directly addresses the FTP issue, it's all there.
>
> James
>
> alfred wrote:
>
>> the ip_masq_ftp module adds some logic to the ipchains rules to let 
>> it understand how an ftp session operates, mainly so it can direct 
>> the incoming data connect back to your internal masq'd machine. It 
>> does not allow you to present an internal ftp server to the outside 
>> world (that's what port forwarding does).
>>
>> Your problem is that your firewall denies any incoming requests 
>> before the masq module can get to it and forward it on. The only 
>> solution is to open up a whole range of ports (1024-65535), or to 
>> only use PASV ftp (which is what I do now, I love anal firewall rules 
>> ;) , or get iptables (haven't played with it yet, but I trust that 
>> rusty has done a good job once again ;)
>>
>>
>>
>> Neil Pickford wrote:
>>
>>> No, no-one mentioned this, however I just had a look and I do have 
>>> the ip_masq_ftp module enabled in rc.firewall startup script.
>>>
>>> After further reading the HOWTO it seems that this facility allows 
>>> forwarding of external FTP requests to an internal server not on the 
>>> masq machine.  This is not really what I'm trying to do.
>>> Then again I may be wrong as to the intention of IP_MASQ_FTP.
>>>
>>> I am trying to give internal machines access to FTP (off the web)
>>> via the masquerade.  At the moment I am blocking incoming internet 
>>> ftp requests.
>>>
>>> Any further advice is appreciated.
>>> Neil Pickford
>>>
>>> James Ring wrote:
>>>
>>>> Has anybody mentioned the kernel module ip_masq_ftp?
>>>>
>>>> If you are masquerading your traffic out an interface, then insmod'ing
>>>> the ip_masq_ftp module will mean that FTP to remote hosts just works.
>>>> It's what I use at home.
>>>>
>>>> Cheers,
>>>> James
>>>>
>>>> Neil Pickford wrote:
>>>>
>>>>
>>>>> Thanks
>>>>> Unfortunately I'm not ready to move to 2.4.x yet.
>>>>> I have decided to create a script to enable and disable
>>>>> the ftp-data ports from 1024:65535 when I need them.
>>>>>
>>>>> Just a bit more hassle.
>>>>>
>>>>> Neil Pickford
>>>>>
>>>>> Martijn van Oosterhout wrote:
>>>>>
>>>>>
>>>>>> On Sat, Aug 11, 2001 at 07:06:58PM +1000, Neil Pickford wrote:
>>>>>>
>>>>>>
>>>>>>> Hello
>>>>>>>
>>>>>>> I have been securing up my server and have established an input
>>>>>>> chain where the default is to deny traffic over the dialup 
>>>>>>> connection
>>>>>>> to my ISP.  Previously the default was allow. (ipchains)
>>>>>>>
>>>>>>> I have now punched holes in the input chain for just the services
>>>>>>> (ports) that I am using, however how do I handle allowing FTP data
>>>>>>> connections where I have initiated the FTP connection, but FTP
>>>>>>> chooses a random port number for the data link.
>>>>>>>
>>>>>>>
>>>>>> Well, one solution is to only allow passive FTP, that's easier to 
>>>>>> firewall.
>>>>>> The ideal solution is to use iptables, where you can match RELATED
>>>>>> connections, thus solving the problem entirely.
>>>>>>
>>>>>>
>>>>>>> I could open up all TCP ports from 4096 to 65535 but I think
>>>>>>> that defeats the purpose of the firewall.
>>>>>>>
>>>>>>>
>>>>>> You could argue that since no programs listen on those ports 
>>>>>> normally, they
>>>>>> don't need to be firewalled because any connection to those ports 
>>>>>> is likely
>>>>>> to be legit (if it succeeds).
>>>>>>
>>>>>>
>>>>>>> Can anyone point me in the right direction here?
>>>>>>>
>>>>>>>
>>>>>> iptables is the real solution, anything else will be a compromise.
>>>>>>
>>>>>>
>>>>>>> Slackware 2.2.13 using ipchains and masquerade to a private class C
>>>>>>> Only 1 static IP address in use for the server that is running WWW,
>>>>>>> Caching DNS, XNTPD, SMTP & POP3 (all these are working fine)
>>>>>>>
>>>>>>>
>>>>>> But iptables is not available on 2.2 (unless someone backported 
>>>>>> it). You could
>>>>>> go for 2.4.
>>>>>>
>>>>>> HTH,
>>>>>> -- 
>>>>>> Martijn van Oosterhout <kleptog at svana.org>
>>>>>> http://svana.org/kleptog/
>>>>>>
>>>>>>
>>>>>>> It would be nice if someone came up with a certification system 
>>>>>>> that
>>>>>>> actually separated those who can barely regurgitate what they 
>>>>>>> crammed over
>>>>>>> the last few weeks from those who command secret ninja 
>>>>>>> networking powers.
>>>>>>>
>>>>>>>
>>
>>
>
>
>
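The two approaches the thread weighs against each other, written out as an ipchains rule script. This is an added example, not anything posted in the thread or taken from the IPCHAINS HOWTO; it assumes the dialup interface is `ppp0` and that the masquerading side (ip_masq_ftp) is already handled elsewhere in rc.firewall. Setting `IPCHAINS=echo` prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread): inbound rules on a default-deny
# ipchains input chain so that FTP sessions started from inside still work.
# Assumptions: external interface ppp0; IPCHAINS=echo gives a dry run.
IPCHAINS=${IPCHAINS:-ipchains}
EXT_IF=${EXT_IF:-ppp0}

# Neil's approach: open every unprivileged port while FTP is in use.
# While this rule is loaded, any service listening on 1024-65535 on the
# firewall is reachable from the internet, not just the FTP data socket.
wide_open_rules() {  # $1 is -A to add or -D to remove
    "$IPCHAINS" "$1" input -i "$EXT_IF" -p tcp -d 0/0 1024:65535 -j ACCEPT
}

# Tighter stateless alternative:
#  1. Passive FTP never needs a new inbound connection; its data traffic is
#     our own outbound connection's replies, so accepting TCP packets that
#     are not connection requests ("! -y" = no SYN) covers it.
#  2. Active FTP data connections do arrive as a new SYN, but always from
#     the server's port 20, so only that source port is let through to
#     unprivileged destination ports.
# Caveat: ipchains cannot tie rule 2 to an FTP control session, so any host
# that sends from source port 20 also matches. That remaining hole is what
# ip_masq_ftp (for masqueraded clients) or iptables RELATED matching closes.
restricted_rules() {  # $1 is -A to add or -D to remove
    "$IPCHAINS" "$1" input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    "$IPCHAINS" "$1" input -i "$EXT_IF" -p tcp -s 0/0 20 -d 0/0 1024:65535 -y -j ACCEPT
}

# Usage: ftp-rules.sh open | close
case "${1:-}" in
    open)  restricted_rules -A ;;
    close) restricted_rules -D ;;
esac
```

Run `IPCHAINS=echo sh ftp-rules.sh open` first to review the exact rules before loading them on a live dialup link.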